TIBCO ActiveMatrix BPM Open Redirect Vulnerability

  Original release date: April 24, 2019
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO ActiveMatrix BPM versions 4.2.0 and below

  TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0
    and below

  TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below

  The following components are affected:

    * Workspace client
    * Openspace client
    * App development client


Description

  The components listed above contain a vulnerability wherein a malicious
  URL could trick a user into visiting a website of the attacker's choice.


Impact

  The impact of this vulnerability includes the theoretical possibility that
  a user could be tricked into visiting a malicious website.

  CVSS v3 Base Score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO ActiveMatrix BPM versions 4.2.0 and below update to version 4.3.0
    or higher

  TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0
    and below update to version 4.3.0 or higher

  TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below
    update to version 1.4.2 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE: CVE-2019-8995